If you are looking to assign users network permissions may I suggest you look into the open source enterprise NAC called PacketFence, we are using it with great success.

No use reinventing the wheel, especially when you can get a really tricked out wheel for free : )

Jake Sallee
Godfather of Bandwidth
Network Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

________________________________________
From: freeradius-users-bounces+jake.sallee=umhb....@lists.freeradius.org [freeradius-users-bounces+jake.sallee=umhb....@lists.freeradius.org] on behalf of Alan DeKok [[email protected]]
Sent: Friday, February 10, 2012 3:37 PM
To: FreeRadius users mailing list
Subject: Re: LDAP Binding

NdK wrote:
> Can't create "users" in AD. Just machine accounts.

That's a local policy which can be changed. AD is perfectly capable of creating read-only administrator accounts. It's what everyone else does.

> Maybe it's possible
> to use the (or "a dedicated") *machine* account credentials?

No.

> Reading FR docs it seems it's something to avoid whenever possible.
> Since there's an internal ldap module, I thought it could be possible to
> use it.

Yes.

> I need to determine if/what to return in 'access-accept' when a user
> authenticates to a switch.

See the switch documentation for what to return in an Access-Accept. Every switch vendor has their own idea of what is "normal".

> - students (determined by *domain* membership) receive a VLAN membership
> - administrators (determined by *domain* and *group* membership) receive
> *no* VLAN memberships (so they can access all the VLANS configured for
> that switch port, as said on the wiki for HPs)
> - "regular" users receive VLAN membership for a different VLAN than
> students (preventing 'em to tamper with administration VLAN)

That should all be straightforward. Write a shell script which implements those rules. Test it. Port the same rules to the internal FreeRADIUS LDAP module && unlang.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
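Alan's "write a shell script, test it, then port it to unlang" advice, as an added example that is not from the thread or from the FreeRADIUS project: the three VLAN rules quoted above as a POSIX shell function that prints RADIUS reply attributes in the `attribute = value` form that rlm_exec reads back into the reply. The domain names, the admin group name and the VLAN IDs are constructed placeholders; in a real deployment the group list passed as the second argument would come from a directory lookup rather than a command-line string.

```shell
#!/bin/sh
# Added example, not code from the thread. Implements the VLAN rules:
#   - student domain                  -> student VLAN
#   - staff domain + admin group      -> no VLAN attributes (port keeps its own config)
#   - staff domain, not in admin group -> regular-user VLAN
#   - anything else                   -> reject
# Output format is what rlm_exec expects when output_pairs = reply.

STUDENT_DOMAIN="students.example.edu"   # assumed student AD domain
STAFF_DOMAIN="staff.example.edu"        # assumed staff AD domain
ADMIN_GROUP="NetworkAdmins"             # assumed AD group for administrators
STUDENT_VLAN=100                        # constructed VLAN ID
USER_VLAN=200                           # constructed VLAN ID

# Print the RFC 3580 VLAN assignment triplet for the given VLAN ID.
reply_vlan() {
    printf 'Tunnel-Type = VLAN\n'
    printf 'Tunnel-Medium-Type = IEEE-802\n'
    printf 'Tunnel-Private-Group-Id = %s\n' "$1"
}

# assign_vlan DOMAIN GROUPS
#   DOMAIN: domain the user authenticated against
#   GROUPS: comma-separated group membership list for the user
# Prints reply attributes on stdout (nothing for admins).
# Returns 0 for accept, 1 for reject (unknown domain).
assign_vlan() {
    domain=$1
    groups=$2
    case "$domain" in
        "$STUDENT_DOMAIN")
            reply_vlan "$STUDENT_VLAN"
            ;;
        "$STAFF_DOMAIN")
            # Exact group match: wrap both sides in commas so "NetworkAdmins"
            # does not match a group such as "NetworkAdminsReadOnly".
            case ",$groups," in
                *",$ADMIN_GROUP,"*) ;;                 # admin: no VLAN override
                *) reply_vlan "$USER_VLAN" ;;          # regular staff user
            esac
            ;;
        *)
            return 1
            ;;
    esac
    return 0
}

# Stand-alone use: ./vlan_rules.sh DOMAIN "Group1,Group2"
if [ $# -eq 2 ]; then
    assign_vlan "$1" "$2"
fi
```

Wired into FreeRADIUS 2.x this would be an `exec` module instance with `wait = yes` and `output_pairs = reply`, called from `post-auth`; the point of the script stage is that each of the three rules can be checked from the shell with known inputs before the same logic is moved into `rlm_ldap` group checks and unlang, where the switch-specific `Tunnel-*` values are the part most likely to need adjusting.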

